
2020 IEEE Intl Conf on Parallel & Distributed Processing with Applications, Big Data & Cloud Computing, Sustainable Computing & Communications, Social Computing & Networking (ISPA/BDCloud/SocialCom/SustainCom)

978-0-7381-3199-3/20/$31.00 ©2020 IEEE. DOI 10.1109/ISPA-BDCloud-SocialCom-SustainCom51426.2020.00075

ASPGen: an Automatic Security Policy Generating Framework for AppArmor

Yun Li, Chenlin Huang, Lu Yuan, Yan Ding
College of Computer, National University of Defense Technology, Chang Sha, China

Hua Cheng
State Key Laboratory of Mathematical Engineering and advanced computing, Wu Xi, China

liyun18, clhuang, [email protected], dingyan [email protected] [email protected]

Abstract—The security of the operating system has always been the basis of information systems. Several security frameworks have been proposed to enhance the security of the operating system, such as SELinux and AppArmor. However, the major drawback of these solutions is the complexity of the security policy configuration, in which strong professionalism is required. Therefore, there are many related studies on optimizing the process of configuring security policies, but so far the involvement of security experts is still required. In this paper, we aim to further optimize AppArmor's security policy generating process and propose ASPGen, which is a novel framework for generating AppArmor security policies automatically. ASPGen can autogenerate security policy with the least privilege and RBAC (Role-Based Access Control) for applications, and effectively alleviate the complexity and subjectivity in manually configuring AppArmor's security policy, as well as the security threats that result from improper policy. We implement the prototype of ASPGen in Ubuntu 16.04. Unlike previous approaches, ASPGen does not depend on experts after the expert system is built. In our experimental evaluation, several typical applications are chosen and their AppArmor security policies are generated with ASPGen. The completeness and precision of the generated policies are evaluated, and a case of mysql-server is thoroughly analyzed by comparing the default AppArmor security policies with the policies generated by ASPGen. The evaluation demonstrates that the policy generated by ASPGen is complete, precise, and fine-grained, even without expert intervention. Our contribution can be further improved with a more general and intelligent security policy generating mechanism and is being extended to support other security frameworks including SELinux and SEAndroid.

Keywords-Mandatory Access Control; AppArmor; RBAC;

I. INTRODUCTION

The security of the operating system is the foundation of information systems. As the core of the security architecture in the operating system, MAC (Mandatory Access Control) determines whether to allow a subject access to objects by comparing the security attributes of subject and object. The mainstream MAC solutions include SELinux, AppArmor, Smack, and so on. They protect the operating system and applications against threats from attacks and misbehavior by limiting the access to resources according to pre-defined security policies. These policies specify how to control user access to each upcoming access path in the specific application and what types of unauthorized access should be denied. A thorough and professional analysis is required for the generation of security policies. However, due to the complexity in software, large amounts of access control rules have to be configured or programmed in security policy configuration files to meet the strict security requirements, which makes it impossible for normal users to configure security policies for a new application.

SELinux is the most famous MAC solution in Linux because of its strict policies, but it is overly complex and unbefitting ordinary user management. To reduce the complexity in security policies, a path-based MAC solution, AppArmor, is designed and implemented, which binds access control attributes to software rather than to users. The security policy is centrally controlled by the security administrator and the user has no right to override the policy in AppArmor. To ease the burden of policy generating, an audit and rule-judging mechanism is provided in AppArmor. A security expert is required to run the application with the goal of achieving higher code coverage; when the application is misbehaving by accessing points in LSM (Linux Security Module), audit messages are sent to the log files. Then the expert generates a corresponding policy by selecting the granted permission based on the logs. The policy configuration file can be generated by recording the operations allowed by the application, and any operations not listed are denied.

There are two major drawbacks with the existing solution: imposing intense manual labor and generating coarse-grained AppArmor policies only. To meet these challenges, we propose ASPGen, an AppArmor Security Policy Generating framework based on an expert system, which reduces the dependence on human experts when generating AppArmor policy. ASPGen contains three stages, as shown in Fig.1. First, a more complete dataset of apparmor-related logs is obtained by running the application or collecting the history logs extensively. Second, an expert system is established to guide whether the permissions required for the resource are granted. Finally, the security policies are automatically generated for the specified application by an expert system. We implement ASPGen's prototype in Ubuntu 16.04, and its effectiveness and ease-of-use are evaluated by analyzing five commonly used applications. The evaluation results demonstrate the effectiveness of our framework, which achieves an expected precision and completeness. ASPGen can widely generate security policies for various Linux applications.

Our contributions can be summarized as follows:

• A path-based confidence model for AppArmor is proposed to support the auto-generation of security policy, which follows the principle of the least privilege and infers permissions based on the matching degree of the resource paths and the frequency of the chosen permission.
• An expert system based on the path-based confidence model is designed to guide policy generation, in which a knowledge base is constructed by categorizing resource objects and assigning access rights of each category for each role. According to our research, there is currently no public knowledge base for guiding AppArmor security policy generation; we have made the knowledge base available at https://github.com/lyeeer/ASPGen.
• A novel AppArmor security policies auto-generating framework based on the expert system is proposed and implemented, which offers a fine-grained generation capability, and reduces reliance on the intensive labor of human experts. In our evaluation of ASPGen with five typical applications, ASPGen successfully obtains a total of 337 apparmor-related logs and auto-generates a total of 337 security rules accordingly. By comparing with the default security policy, the completeness and precision of the security policy generated by ASPGen is evaluated.

The rest of this paper is organized as follows. The related work is discussed in Section 2. The operating principle and design of ASPGen are explained in detail in Section 3. Section 4 presents the experimental setup and evaluates the performance of ASPGen. Finally, future work is concluded in Section 5.

the feature of the security framework that records audit logs. EASEAndroid [3] is the first SEAndroid analysis platform for automatic policy analysis and refinement, which can analyze audit logs by semi-supervised learning. [8] mines audit logs by machine learning to automatically generate SELinux policy. These methods need to collect a large amount of log information from different models of machines, which may violate user privacy. SPOKE [4] extracts domain knowledge from rich-semantic functional tests and uses this knowledge to represent the attack surface of SEAndroid policy rules. In addition, SELinux has also released some automatic policy generation tools, among which audit2allow [6] converts the audit log into rules to automatically generate and refine SELinux policies. Because there is a problem the same as [5], the conversion process of audit2allow is very mechanical, and cannot know the true intentions of the user operations, which gives rise to a problem of over-privilege. PyBE [7] resolves this problem by specifying user-specific security policies. It predicts policy decisions for new scenarios, based on the policy examples provided by users. The policy decisions specify if actions should be allowed or denied in certain scenarios.

Role-Based Access Control. RBAC [10]–[12] focuses on the relationship between USERS, ROLES and PERMISSIONS, where USERS perform ROLES, and users determine permissions based on their roles, as shown in Fig.2. In addition to common user roles, system administrators, security administrators, and audit administrators are introduced based on the principle of separation of the powers. In terms of permission scope, the system administrator is responsible for the entire system user group, role, user creation, and permission assignment. The security administrator shall audit the authorization of a special role or user group. The audit administrator shall inspect the system audit log to supervise other administrators and common users who shall not have the right to create users and authorize approval. Research on minimizing privileges usually
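The log-to-rule step that the introduction describes (audit messages collected, then turned into profile rules), as an added example that is not from the paper or the ASPGen code base: it parses AppArmor audit lines and merges them mechanically into per-path file rules, with no confidence model or knowledge base. The log lines, the profile name and all function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample audit lines in AppArmor's key="value" format (not from the paper).
SAMPLE_LOG = """\
type=AVC msg=audit(1600000000.101:10): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/etc/mysql/my.cnf" pid=900 comm="mysqld" requested_mask="r" denied_mask="r" fsuid=111 ouid=0
type=AVC msg=audit(1600000000.205:11): apparmor="ALLOWED" operation="mknod" profile="/usr/sbin/mysqld" name="/var/lib/mysql/ib_logfile0" pid=900 comm="mysqld" requested_mask="c" denied_mask="c" fsuid=111 ouid=111
type=AVC msg=audit(1600000000.310:12): apparmor="ALLOWED" operation="open" profile="/usr/sbin/mysqld" name="/var/lib/mysql/ib_logfile0" pid=900 comm="mysqld" requested_mask="rw" denied_mask="rw" fsuid=111 ouid=111
type=AVC msg=audit(1600000000.415:13): apparmor="ALLOWED" operation="exec" profile="/usr/sbin/mysqld" name="/bin/sh" pid=901 comm="mysqld" requested_mask="x" denied_mask="x" fsuid=111 ouid=0
type=AVC msg=audit(1600000000.520:14): apparmor="DENIED" operation="open" profile="/usr/sbin/cupsd" name="/etc/shadow" pid=77 comm="cupsd" requested_mask="r" denied_mask="r" fsuid=0 ouid=0
"""

FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
PERM_ORDER = "rwaklm"  # stable order for rendering file permissions

def parse_event(line):
    """Return the key/value fields of one audit line, or None if it is not an AppArmor event."""
    fields = {key: (quoted if quoted else bare) for key, quoted, bare in FIELD.findall(line)}
    return fields if "apparmor" in fields else None

def build_rules(log_text, profile):
    """Merge file events for one profile into {path: perms}; exec targets are returned undecided."""
    rules, undecided = defaultdict(set), []
    for line in log_text.splitlines():
        ev = parse_event(line)
        if not ev or ev.get("profile") != profile or "name" not in ev:
            continue
        # Log masks are finer than the profile language: fold c (create) and d (delete) into w.
        mask = ev.get("requested_mask", "").replace("c", "w").replace("d", "w")
        if "x" in mask:
            undecided.append(ev["name"])  # ix/px/cx/ux cannot be read off the log line
            mask = mask.replace("x", "")
        rules[ev["name"]].update(mask)
    merged = {p: "".join(c for c in PERM_ORDER if c in m) for p, m in rules.items() if m}
    return merged, undecided

def render_profile(profile, rules):
    """Emit AppArmor profile text with one literal file rule per observed path."""
    body = "\n".join(f"  {path} {perms}," for path, perms in sorted(rules.items()))
    return f"{profile} {{\n{body}\n}}"

if __name__ == "__main__":
    rules, undecided = build_rules(SAMPLE_LOG, "/usr/sbin/mysqld")
    print(render_profile("/usr/sbin/mysqld", rules))
    print("needs an execute-mode decision:", undecided)
```

Execute events are left undecided because the log line does not say which execute mode to grant; that choice is the kind of judgment the introduction assigns to the expert.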